Privacy, Licensing, and Policies

Feb 18, 2025

Information Technology Incident Response and Data Management

Evidence Collection and Chain of Custody

  • Chain of Custody: Essential to maintain evidence integrity.
    • Documents everyone who has contact with the evidence.
    • Prevents tampering by tracking access history.
  • Digital Evidence:
    • Use hashing to ensure evidence is unchanged.
    • Sign with a digital signature to confirm authenticity and integrity.
  • Physical Evidence:
    • Label and catalog all evidence rigorously.
    • Use an evidence container to seal and preserve.

First Responder Responsibilities

  • Discover and mitigate incidents; time is crucial.
  • Immediately report incidents to management or law enforcement.
  • Responsible for collecting evidence and preventing its destruction.

Collecting Digital Evidence

  • Perform a bit-for-bit or byte-for-byte copy of storage drives.
  • Use a hardware write blocker to prevent data changes.
  • Create a hash of collected data for later verification.
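The two evidence points above (hash the acquired image so later verification can prove it is unchanged, and log every person who touches it in a chain-of-custody record) can be shown together in a small script. This is an added example written for these notes, not code from the original page; the case number, item id, handler names, timestamps and the byte string standing in for a disk image are all constructed sample values, and the custody record format is an assumption of the example rather than any standard schema.

```python
import hashlib
import hmac
import json

# Constructed sample image: stands in for a bit-for-bit copy of a drive taken
# behind a hardware write blocker. A real image would be read from disk in chunks.
SAMPLE_IMAGE = b"\x00" * 512 + b"EVIDENCE-IMAGE" + b"\xff" * 1024


def hash_image(data: bytes, chunk_size: int = 64 * 1024) -> str:
    """SHA-256 hex digest of an evidence image, computed in fixed-size chunks
    so the same routine works on images far larger than memory."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def verify_image(data: bytes, recorded_digest: str) -> bool:
    """Recompute the digest and compare it with the one recorded at acquisition."""
    return hmac.compare_digest(hash_image(data), recorded_digest)


def new_custody_record(case_id: str, item_id: str, description: str,
                       collector: str, data: bytes, when: str) -> dict:
    """Open a chain-of-custody record. The acquisition event carries the hash
    that every later handler verifies against (hypothetical record layout)."""
    return {
        "case_id": case_id,
        "item_id": item_id,
        "description": description,
        "acquisition_sha256": hash_image(data),
        "events": [
            {"timestamp": when, "handler": collector, "action": "acquired",
             "purpose": "initial imaging behind write blocker"},
        ],
    }


def add_custody_event(record: dict, handler: str, action: str, purpose: str,
                      when: str) -> dict:
    """Append one handling event. Every contact with the evidence is logged,
    including read-only analysis. Timestamps are ISO 8601 UTC strings."""
    if action not in ("received", "released", "analyzed", "stored"):
        raise ValueError(f"unknown custody action: {action}")
    record["events"].append({"timestamp": when, "handler": handler,
                             "action": action, "purpose": purpose})
    return record


def audit_custody_record(record: dict, data: bytes) -> list:
    """Return a list of findings; an empty list means the record is consistent.
    Checks that the image still matches its acquisition hash, that events are
    in chronological order, and that every event names a handler."""
    findings = []
    if not verify_image(data, record["acquisition_sha256"]):
        findings.append("image digest does not match acquisition digest")
    timestamps = [e["timestamp"] for e in record["events"]]
    if timestamps != sorted(timestamps):
        findings.append("custody events are not in chronological order")
    for i, event in enumerate(record["events"]):
        if not event.get("handler"):
            findings.append(f"event {i} has no handler recorded")
    return findings


if __name__ == "__main__":
    # Constructed case data for demonstration only.
    record = new_custody_record("CASE-0001", "ITEM-01",
                                "500 GB SATA drive, workstation 12",
                                "J. Doe", SAMPLE_IMAGE, "2025-02-18T09:00:00Z")
    add_custody_event(record, "A. Smith", "received", "hash verification",
                      "2025-02-18T10:30:00Z")
    print(json.dumps(record, indent=2))
    print("findings:", audit_custody_record(record, SAMPLE_IMAGE))
    print("findings on altered copy:",
          audit_custody_record(record, SAMPLE_IMAGE + b"x"))
```

The digest is computed once at acquisition and stored in the record; anyone who later receives the image recomputes it and compares, so a single changed byte is detected. Ordering the events by timestamp and requiring a handler on each one is what makes the record answer the chain-of-custody question: who had the evidence, when, and why.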

Importance of Documentation

  • Document all incident response activities.
  • Include:
    • Summary of the event.
    • Detailed step-by-step data acquisition processes.
    • Data analysis and conclusions.

Software Licensing

  • Types of Licenses:
    • Perpetual License: One-time purchase, use indefinitely.
    • Subscription License: Use for a specified period.
    • Per Seat/Concurrent Licenses: Limited by user or simultaneous usage.
  • Free and Open Source Software (FOSS):
    • No cost, source code available.
    • Contrast with closed source software (e.g., Microsoft, Apple).
  • End-User Licensing Agreement (EULA):
    • Defines usage terms and conditions.
    • Typically presented during software installation.

Payment Card Industry Data Security Standard (PCI DSS)

  • PCI DSS: Standards for protecting credit card information.
    • Secure networks, protect data, manage vulnerabilities, control access, monitor systems.

Personally Identifiable Information (PII)

  • Sensitive information requiring protection.
  • Example: U.S. Office of Personnel Management data breach (July 2015).
  • European Union General Data Protection Regulation (GDPR):
    • Controls personal data use and storage.
    • "Right of erasure" allows request for data deletion.
    • Privacy policies must detail data handling practices.

Protected Health Information (PHI)

  • Regulated by HIPAA (Health Insurance Portability and Accountability Act).
  • Concerns health status, care appointments, and health data privacy.

Data Retention Requirements

  • Purpose:
    • Version control and recovery from backups.
    • Insurance against data loss (e.g., virus, ransomware).
    • Legal requirements for specific data types (e.g., corporate tax information).
  • Methods:
    • Tape backups, off-site storage, legal compliance for email and certain data.